<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;C0IGSHk8eyp7ImA9WhRUF08.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946</id><updated>2012-01-27T19:32:09.773-08:00</updated><category term="Steganography" /><category term="vulnerability" /><category term="malware" /><category term="MD Food Bank" /><category term="photo frames" /><category term="privacy" /><category term="McAfee" /><category term="baltimore" /><category term="Skype" /><category term="US government" /><category term="dslr" /><category term="information security" /><category term="2600" /><category term="resources" /><category term="email" /><category term="xss" /><category term="2008" /><category term="EU Directive 95/46/EC" /><category term="attack" /><category term="VeriSign" /><category term="Department of Homeland Security" /><category term="authentication" /><category term="lock" /><category term="qr code" /><category term="Jeff Moss" /><category term="azure" /><category term="policy" /><category term="government" /><category term="cats" /><category term="Bid Pal" /><category term="trojan" /><category term="mvc" /><category term="obama" /><category term="Matt Asay" /><category term="iPhone" /><category term="power" /><category term="worm" /><category term="marketing" /><category term="asp.net" /><category term="white hat" /><category term="Internet Explorer" /><category term="network" /><category term="cnet river" /><category term="event log" /><category term="membership provider" /><category term="anti-virus" /><category term="google" 
/><category term="education" /><category term="technology" /><category term="smtp" /><category term="OAuth" /><category term="system.web.management" /><category term="application health monitoring" /><category term="secure" /><category term="event" /><category term="Confliker" /><category term="AVG" /><category term="decieve" /><category term="CEH" /><category term="print to web" /><category term="organized crime" /><category term="Chrome" /><category term="charity" /><category term="filler" /><category term="codec" /><category term="lojack" /><category term="asp.net 2.0" /><category term="CSRF" /><category term="SSL" /><category term="firewall" /><category term="cyber warfare" /><category term="Powerpoint" /><category term="learning" /><category term="branding" /><category term="OneCare" /><category term="ASI" /><category term="hack" /><category term="Houston" /><category term="cloud computing" /><category term="pdc" /><category term="cell phone" /><category term="asirra" /><category term="social engineer" /><category term="Open Source" /><category term="port knocking" /><category term="end point security" /><category term="phishing" /><category term="Evil Twin" /><category term="Web Browser" /><category term="wpf" /><category term="virus" /><category term="polaroid" /><category term="IT business" /><category term="wmi" /><category term="health" /><category term="management" /><category term="port scanning" /><category term="Ireland" /><category term="strong password" /><category term="hip" /><category term="mobile" /><category term="smart grid" /><category term="OSX/Tored-A" /><category term="beyond bullet points" /><category term="MEDEX" /><category term="Channel 9" /><category term="comic" /><category term="facial recognition" /><category term="Conversion" /><category term="application security" /><category term="windows 7" /><category term="firefox" /><category term="encryption" /><category term="Flash" /><category term="computer forensics" /><category 
term="iPod" /><category term="LinkedIn" /><category term="x-force report" /><category term="network security" /><category term="microsoft tag" /><category term="Safari" /><category term="windows azure" /><category term=".net" /><category term="tv" /><category term="MD5" /><category term="OSX/Jahlav-C" /><category term="jquery mobile" /><category term="laptop" /><category term="Adobe" /><category term="asp" /><category term="Downadup" /><category term="business" /><category term="css 3" /><category term="jQuery" /><category term="cyber crime" /><category term="port daemon" /><category term="Italy" /><category term="Scott Gutherie" /><category term="os" /><category term="security" /><category term="dogs" /><category term="WorldWatch" /><category term="river" /><category term="links" /><category term="hacker" /><category term="stupid human tricks" /><category term="theft" /><category term="software" /><category term="Zune" /><category term="microsoft research" /><category term="europe" /><category term="con" /><category term="Clickjacking" /><category term="china" /><category term="cross site scripting" /><category term="applicaton health" /><category term="vista" /><category term="web injection" /><category term="MSE" /><category term="provider" /><category term="javascript" /><category term="apple" /><category term="IT image" /><category term="web development" /><category term="data delivery" /><category term="ISSA" /><category term="general" /><category term="sql injection" /><category term="maryland" /><category term="Hakin9" /><category term="event mapping" /><category term="security q and a" /><category term="social networking" /><category term="Internet Browser" /><category term="health monitor" /><category term="crime" /><category term="the Myth of Security" /><category term="monitor" /><category term="html 5" /><category term="Presentation" /><category term="windows" /><category term="port" /><category term="threat modelling" /><category term="code review" 
/><category term="operating system" /><category term="linux" /><category term="computer science" /><category term="DHS" /><category term="cnet" /><category term="Adobe Flash" /><category term="twitter api" /><category term="research" /><category term="internet security" /><category term="law" /><category term="ajax" /><category term="cliff atkinson" /><category term="Music" /><category term="John Viega" /><category term="&quot;I'm a PC&quot;" /><category term="werewolf" /><category term="games" /><category term="bbc" /><category term="biometric" /><category term="API" /><category term="C#" /><category term="trash" /><category term="certification" /><category term="captcha" /><category term="IT's image" /><category term="food" /><category term="microsoft" /><category term="publication" /><category term="article" /><category term="Airline Insider" /><category term="mozilla" /><category term="password" /><category term="brand" /><title>SecCode: Securing the Wild Wild Web</title><subtitle type="html">Examining security and the technologies that will be shaping tomorrow.</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://seccode.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><generator version="7.00" 
uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>86</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/SeccodeSecuringTheWildWildWeb" /><feedburner:info uri="seccodesecuringthewildwildweb" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><entry gd:etag="W/&quot;C0IGSHkyfip7ImA9WhRUF08.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-1498798344553653160</id><published>2012-01-27T19:32:00.000-08:00</published><updated>2012-01-27T19:32:09.796-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-27T19:32:09.796-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web development" /><category scheme="http://www.blogger.com/atom/ns#" term="software" /><category scheme="http://www.blogger.com/atom/ns#" term="management" /><title>Inspirational leadership</title><content type="html">I've been working on a technical post for a while now but am slow going. So I wanted to post something else I have been thinking about lately: inspirational leadership. Lately I have been rereading &lt;a href="http://www.amazon.com/gp/product/1593271832/ref=as_li_ss_tl?ie=UTF8&amp;amp;tag=secsecthewilw-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=1593271832"&gt;Growing Software: Proven Strategies for Managing Software Engineers&lt;/a&gt;&amp;nbsp;by Louis Testa and examining how I have been leading my software team. The book is an excellent survival guide for new development managers and yields some excellent advice on how to build, maintain and nourish a great team. 
Between this book and another great read &lt;a href="http://www.amazon.com/gp/product/0735623465/ref=as_li_ss_tl?ie=UTF8&amp;amp;tag=secsecthewilw-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=0735623465"&gt;Getting Results from Software Development Teams&lt;/a&gt;&lt;img alt="" border="0" height="1" src="http://www.assoc-amazon.com/e/ir?t=secsecthewilw-20&amp;amp;l=as2&amp;amp;o=1&amp;amp;a=0735623465" style="border: none !important; margin: 0px !important;" width="1" /&gt; by Laurence J. Peters I have boiled down a few techniques that seem to be working for me.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Communication is Key&lt;/b&gt;&lt;br /&gt;
This should be no surprise. Maintaining good communication is important in any relationship, most especially between manager and employee. Communicate frequently with your team and set a standard for how you want your team to communicate with others. For instance, I encourage a high level of follow-up with my team. If they do not understand something or need to ensure the audience of a communication understood their message, follow up. This encourages conversation instead of a "telling" message that I have seen with many technical people. To support this behavior, I make sure to turn email communications into conversations until both parties clearly understand each other. Technical people are often quick to email rather than stop by someone's desk or call. Encourage your team to connect to others in the most personal way possible but to follow up with a documented communication (i.e. email) when necessary.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Check-in but don't&amp;nbsp;interrogate&lt;/b&gt;&lt;br /&gt;
Every morning I make sure to say "Good morning" to each of my team that I encounter. Throughout the day I stop by or give them a call to ask how their day is going and if they need anything from me. This is a balancing act to check-in but not to be interrogating the individual on their daily progress. I try to keep the message short and sweet, "How's it going? Is there anything I can do to help? Do you need anything from me?" I use those three questions a lot to just ping my team to make sure they are not struggling with something that I can help with. Managers are really just support staff to their team. These check-ins allow me to see how I can best support the team.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;One on Ones are about the Person, not the Projects&lt;/b&gt;&lt;br /&gt;
This one is simple: keep one on ones about the individual. Do not let the meeting fall into a project update. One on Ones are to talk about how the person is doing with the company and team. Ask questions like:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;How do you think the team is doing?&lt;/li&gt;
&lt;li&gt;Are there any questions about a recent change in the company or P&amp;amp;Ps?&lt;/li&gt;
&lt;li&gt;What are your future plans? Where do you want to be in 5 years? How can we help you get there?&lt;/li&gt;
&lt;li&gt;How am I (as the manager) doing?&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Value the ideas&lt;/b&gt;&lt;br /&gt;
Technical people are often creative people. To a coder, the language is a brush and the software a canvas awaiting a masterpiece. Software development is an extremely creative process and that creativity needs to be fed often to grow. Creativity feeds off of ideas and to this end, placing value on ideas will encourage techies to generate more and more ideas. I like it when others recognize my idea's merit, so I try to do that for others. I encourage my team to be creative and discover many solutions for a single problem. While not all ideas are actionable, they all feed the team's creativity and yield more ideas...better ideas. I encourage my team to express ideas by placing value on those ideas. Value is shown through support, recognition and even reward (never underestimate the power of a $25 gift card!).&lt;br /&gt;
&lt;br /&gt;
These are a few things that I have found really brighten up my team. What do you do to inspire your team?&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-1498798344553653160?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/nZujDuVHHQ93fonE7AU0cmdUtZI/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/nZujDuVHHQ93fonE7AU0cmdUtZI/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/nZujDuVHHQ93fonE7AU0cmdUtZI/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/nZujDuVHHQ93fonE7AU0cmdUtZI/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/CfsS7rpPYdg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/1498798344553653160/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=1498798344553653160" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/1498798344553653160?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/1498798344553653160?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/CfsS7rpPYdg/inspirational-leadership.html" title="Inspirational leadership" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><georss:featurename>Baltimore, MD, USA</georss:featurename><georss:point>39.2903848 -76.6121893</georss:point><georss:box>39.1920723 -76.7701178 39.3886973 -76.4542608</georss:box><feedburner:origLink>http://seccode.blogspot.com/2012/01/inspirational-leadership.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;AkIHQn86eip7ImA9WhRVEUs.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-7864521343262300353</id><published>2012-01-09T20:08:00.000-08:00</published><updated>2012-01-09T20:08:53.112-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-09T20:08:53.112-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="qr code" /><category scheme="http://www.blogger.com/atom/ns#" term="mobile" /><category scheme="http://www.blogger.com/atom/ns#" term="print to web" /><category scheme="http://www.blogger.com/atom/ns#" term="microsoft tag" /><category scheme="http://www.blogger.com/atom/ns#" term="microsoft" /><title>Continued discussion: QR Tags and Security</title><content type="html">&lt;a href="http://4.bp.blogspot.com/-1WmGvieDjjo/TwuscL97JGI/AAAAAAAAAMM/_3NUexRES7Y/s1600/qr+tag+sample.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="184" src="http://4.bp.blogspot.com/-1WmGvieDjjo/TwuscL97JGI/AAAAAAAAAMM/_3NUexRES7Y/s200/qr+tag+sample.png" width="200" /&gt;&lt;/a&gt;My newest article just hit the Internet today and I'm pretty psyched about the topic: Tagging (more commonly known as QR Codes but I use the term Tag for Microsoft Tag and QR Codes). A few years ago I saw the start-up of &lt;a href="http://tag.microsoft.com/" target="_blank"&gt;Microsoft Tag&lt;/a&gt;. I had not heard about QR Codes at the time so the concept of jumping from print to the Internet with a point-and-click interface was pretty awesome to me. Instantly I saw applications at my work, on side projects, at my karate school and had a brainstorm more akin to a&amp;nbsp;tornado. Recently I have had the fortune of implementing some of these solutions and a few security issues came to mind...and then a few more until the tornado became a hurricane threatening to drown the projects.&lt;br /&gt;
&lt;br /&gt;
In the &lt;a href="http://hakin9.org/" target="_blank"&gt;Hakin9&lt;/a&gt; article, I examine three attack vectors using Tags. While I like to play with attack, I enjoy&amp;nbsp;prescribing&amp;nbsp;defense so I thought I would use the blog to discuss some prevention strategies to mitigate your risk of falling victim to a malicious Tag. Here are some tips to avoid a Tag related data compromise:&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;1. Never click on an unknown Tag: &lt;/b&gt;Avoid clicking Tags when you do not have confidence in their intent, the integrity of their publisher or the integrity of their distribution. If at any point you are unsure of what a Tag will do after scanning or do not trust the publisher, do not scan the tag. As a motto in security (physical or information): if something does not feel right, it probably is not. Another consideration is how confident you are that the distribution medium has not been tampered with. A Tag in a print magazine that is distributed worldwide is less likely to be malicious than a Tag found on a forum. A random tag posted on a blog, forum or web site (or Facebook profile picture) might not be reviewed by an editorial staff. Malicious Tags can sneak in (or be deliberately placed) on these mediums without review or oversight.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;2. Your device can be accessed by more than just you:&lt;/b&gt; This is a standard &lt;a href="https://www.owasp.org/index.php/Top_10_2010-A5" target="_blank"&gt;CSRF &lt;/a&gt;defense but really needs to be considered with Tagging. A CSRF attack occurs when a user (you) does something (like clicking on a Tag) and a request is sent to the application that performs some unintended&amp;nbsp;action (like changing your password to something the attacker will know). These attacks only work when you are authenticated to the application being attacked. As diligent computer users, some security-aware people log out of the various applications they access through their desktop systems but not their mobile device. We see our mobile device as ours, specific to us, and assume that no one else uses the device. Due to this mindset, we do not perform behaviors to mitigate information exposure (via someone else accessing our device). Yes, this is a generalization and maybe you do not agree, but it has been my experience that many average users (non-IT and non-IT Security people) think this way. What many of these people do not realize is that someone can use their device without physical access. Modern phones are simply tiny computers, some with more power than what might be sitting at the user's desk. Always log out of your applications on your mobile device.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;3. Research your scanner:&lt;/b&gt; Does your Tag scanner provide some protection mechanisms (like Microsoft Tag)? Cloud-based Tag systems can provide a level of protection to users, such as a blacklist filter identifying known malicious tags as well as publishers. Ensure that your Tag scanner has some defenses in place for you; if not, consider another vendor.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;4. Don't take candy from strangers: &lt;/b&gt;Never ever download anything from a Tag that you are not confident is from a legitimate publisher. Some Tags offer free downloads. Avoid the instant gratification and do some research. Have others downloaded this product? Are they happy? Do your malware detection systems know anything about this?&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;5. No details, no scan: &lt;/b&gt;It is considered a poor practice by mobile marketers to not describe what a Tag will do. Keeping this in mind, do not scan anything that does not tell you explicitly what the Tag will do. If the Tag veers from the description in any way, be wary and refer to #4. Marketing people want to encourage you to follow the tag; they know that surprises can lead to confusion and disengagement. Expect an overload of details. If they are not provided, don't scan.&lt;br /&gt;
&lt;br /&gt;
Notice these are mostly user education things and not technology solutions. Just like any other scam, an educated user is your best defense. Tagging is an amazing technology that can empower business but users need to be aware of the risks just like in the early days of email and the web. So read my article in Hakin9 on Mobile Security called &lt;a href="http://hakin9.org/hakin9-mobile-112-2/" target="_blank"&gt;Tag: You're infected!&lt;/a&gt; and let me know what you think.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-eLX7GRiNtAI/TwuxAnpmMJI/AAAAAAAAAMU/biSmpSCImJw/s1600/qrcode.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-eLX7GRiNtAI/TwuxAnpmMJI/AAAAAAAAAMU/biSmpSCImJw/s1600/qrcode.png" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Never scan a QR Code you do not know&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-7864521343262300353?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/zmH-PvLbHOhP3yZG0ms1dRn8r-4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zmH-PvLbHOhP3yZG0ms1dRn8r-4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/zmH-PvLbHOhP3yZG0ms1dRn8r-4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zmH-PvLbHOhP3yZG0ms1dRn8r-4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/8drWtoaDRzA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/7864521343262300353/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=7864521343262300353" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/7864521343262300353?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/7864521343262300353?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/8drWtoaDRzA/continued-discussion-qr-tags-and.html" title="Continued discussion: QR Tags and Security" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-1WmGvieDjjo/TwuscL97JGI/AAAAAAAAAMM/_3NUexRES7Y/s72-c/qr+tag+sample.png" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Baltimore, MD, USA</georss:featurename><georss:point>39.2903848 -76.6121893</georss:point><georss:box>39.1920723 -76.7701178 39.3886973 -76.4542608</georss:box><feedburner:origLink>http://seccode.blogspot.com/2012/01/continued-discussion-qr-tags-and.html</feedburner:origLink></entry><entry 
gd:etag="W/&quot;Ak8MQn86eSp7ImA9WhRWFUg.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-6349893467243427623</id><published>2012-01-02T18:37:00.000-08:00</published><updated>2012-01-02T18:48:03.111-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-01-02T18:48:03.111-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="filler" /><category scheme="http://www.blogger.com/atom/ns#" term="Channel 9" /><category scheme="http://www.blogger.com/atom/ns#" term="Ireland" /><category scheme="http://www.blogger.com/atom/ns#" term="food" /><title>Finding a addictive burger in Dublin</title><content type="html">I've been trying to write something interesting (or at least somewhat interesting) each week. Recently I realized that I have had this blog for a long time but have been horrible at maintaining the content on it. No, it is not a 2012 resolution to write more but a dedication to becoming a better writer through actually writing more.&lt;br /&gt;
&lt;br /&gt;
To this end, today is a filler day. This is when I do not have something (i.e. a project) that I am ready to write about and will just talk about my thoughts or post a picture. Tonight being the second day of 2012 I wanted to post a picture from a trip I took with my wife almost 4 years ago now. We hopped around northern Europe hitting Ireland, Norway and Iceland. The trip was a blast and forever changed my world view. Being a foodie, two things really made the trip wonderful: great food and memorable locations. Here are a few pictures from my favorite burger joint in the world (even though it is not a burger joint) &lt;a href="http://www.thesmithgroup.ie/aulddubliner/index.html" target="_blank"&gt;The Auld Dubliner&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
We stumbled onto this place after walking around St. Stephen's Green and Grafton Street. I wanted a good Jameson and my wife wanted a good Guinness. We found much more in this little gem. The decor was amazing, the staff were like family and the food embedded a craving in my belly that only an Auld Dubliner burger could&amp;nbsp;quench. If you are in Dublin, Ireland and looking for a&amp;nbsp;tasty&amp;nbsp;burger with a good Jameson, head straight over to the Auld Dubliner and grab one for me.&lt;br /&gt;
&lt;br /&gt;
Enjoy!&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-_6-S6BabsBA/TwJqDfjYyJI/AAAAAAAAALs/oKq98yjmL9k/s1600/089.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://4.bp.blogspot.com/-_6-S6BabsBA/TwJqDfjYyJI/AAAAAAAAALs/oKq98yjmL9k/s320/089.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-ABFE7XrzgYc/TwJqD_wcCzI/AAAAAAAAAL0/9uQhyA6OkUg/s1600/091.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-ABFE7XrzgYc/TwJqD_wcCzI/AAAAAAAAAL0/9uQhyA6OkUg/s320/091.JPG" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-THzmO9oDFFo/TwJqEW6iftI/AAAAAAAAAL8/2D_Xl9v6YgM/s1600/092.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-THzmO9oDFFo/TwJqEW6iftI/AAAAAAAAAL8/2D_Xl9v6YgM/s320/092.JPG" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-1bTD4ndNpSM/TwJqE_QrVyI/AAAAAAAAAME/_xDrD9-dq4o/s1600/093.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://1.bp.blogspot.com/-1bTD4ndNpSM/TwJqE_QrVyI/AAAAAAAAAME/_xDrD9-dq4o/s320/093.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-6349893467243427623?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/B4ZdHlc--Uu8d57abrrH9IGFMYo/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/B4ZdHlc--Uu8d57abrrH9IGFMYo/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/B4ZdHlc--Uu8d57abrrH9IGFMYo/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/B4ZdHlc--Uu8d57abrrH9IGFMYo/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/Soqd01edzCE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/6349893467243427623/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=6349893467243427623" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6349893467243427623?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6349893467243427623?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/Soqd01edzCE/finding-addictive-burger-in-dublin.html" title="Finding a addictive burger in Dublin" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-_6-S6BabsBA/TwJqDfjYyJI/AAAAAAAAALs/oKq98yjmL9k/s72-c/089.JPG" height="72" width="72" /><thr:total>1</thr:total><georss:featurename>Adair Ln, Ranelagh, Dublin, Co. 
Dublin, Ireland</georss:featurename><georss:point>53.3462264 -6.260288</georss:point><georss:box>53.3438564 -6.2652235 53.3485964 -6.2553525</georss:box><feedburner:origLink>http://seccode.blogspot.com/2012/01/finding-addictive-burger-in-dublin.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0IMSH08eCp7ImA9WhRWEkw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-2167338226615349436</id><published>2011-12-29T19:24:00.000-08:00</published><updated>2011-12-29T19:26:29.370-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-29T19:26:29.370-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web development" /><category scheme="http://www.blogger.com/atom/ns#" term="sql injection" /><category scheme="http://www.blogger.com/atom/ns#" term=".net" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="code review" /><title>Security Code Review vs. Code Review</title><content type="html">Tomorrow I have a code review to lead, well, participate in. I usually lead, so tomorrow I really need to focus on listening as it is my code that is being reviewed. Not having written any code in a while, I was doubly careful but still know that there are significant issues to be addressed (there always are). In thinking about tomorrow's review, I remembered a discussion I had once with a PHP friend who asked what the difference was between a security code review and a regular code review.&lt;br /&gt;
&lt;br /&gt;
The question struck me a bit and made me wonder, what is the difference? Was there a difference? Did someone just tack the word "security" on to make the code review sound more interesting? After a bit of research I came to a conclusion - security was the difference. This is not profound or deep, it is pretty obvious and became more and more obvious as I sat in on many code reviews.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;&lt;b&gt;Things that are the same&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
A code review (security or not) has a core focus: talking about the code. This makes Code Review one of the most important practices for building quality, secure code because it analyzes the one common output from a software project: code. Your review can be as structured or as loose as fits your environment, but you need at least four roles (roles, not people):&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;The Author:&lt;/b&gt; The person who wrote the code. They are here to learn, and to explain when the code cannot speak for itself.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;The Reader: &lt;/b&gt;This role reads the code as a narrative to explain to the reviewers what it is doing. This role cannot be held by the author as that will skew the review.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;The Secretary:&lt;/b&gt; The role who records the notes of the meeting. They are also responsible for bringing the notes to the team after the meeting.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;The Moderator:&lt;/b&gt; The role who keeps the review positive, productive and actionable. This role also ensures the notes from the review are executed after the review.&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
These roles can be held by a single person (except author and reader), which can produce a code review team of 2 people. Sometimes these smaller groups can produce fast results, but beware of always reviewing with the same people. A fresh perspective is always necessary, as two reviewers who always work together could start to overlook issues due to an "oh, that is their coding style" type of mindset.&lt;br /&gt;
&lt;br /&gt;
Another aspect that is the same is the focus on good design and execution not "how I would have done it". As soon as you hear someone say, "well, I would have..." stop right there. Dig in and find out why it should be done a different way. If there is not a good reason, such as a pre-existing standard, then agree to disagree. Code is art and critics rarely agree on what is good, great or horrible.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;&lt;b&gt;Things that are different&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;
In a Security Code Review you want to discuss Attack Patterns. Is the code&amp;nbsp;susceptible&amp;nbsp;to an attack pattern such as injection? Does the code mix the Data Channel and Command/Control Channel (which can lead to injection)? If so, why? Is it necessary? As an example of this, anytime you see:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote class="tr_bq"&gt;
var sql = "SELECT * FROM tbl WHERE ID = " + id + " "&lt;/blockquote&gt;
&lt;br /&gt;
Ask why! What data type is id, and how are you sure that you did not just open a SQL Injection attack vector? Passing id as a query parameter instead of concatenating it into the statement keeps it in the data channel.&amp;nbsp;An excellent introduction to attack patterns can be found at&amp;nbsp;&lt;a href="https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/attack/585-BSI.html"&gt;https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/attack/585-BSI.html&lt;/a&gt;. Keep a list of attack patterns handy and ask: "Does the code allow this?". Strong knowledge of attack patterns and the &lt;a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" target="_blank"&gt;OWASP Top Ten&lt;/a&gt; will provide useful input to this section of the security code review.&lt;br /&gt;
&lt;br /&gt;
Another activity is the examination of assumptions. Dig in to each assumption and ask what happens if that assumption is false. For instance, if the code assumes Request.Querystring["ID"] will be an integer (using int.Parse(Request.Querystring["ID"]) or something like that), what happens when it is not? A great thinking strategy for this is the concept of &lt;a href="http://en.wikipedia.org/wiki/Equivalence_partitioning" target="_blank"&gt;Equivalence Partitioning&lt;/a&gt;. Using Equivalence Partitioning, you break down the input into valid and invalid partitions. For our above example, alpha characters would be an invalid partition. What happens when we encounter ?ID=A in the query string? Beyond assumptions about data type, validate assumptions in logic. If the developer believes that ID will always be between 1 and 10, ask why, and what happens when the business decides to allow ids between 11 and 20.&lt;br /&gt;
&lt;br /&gt;
There is a lot more to a security code review, but these two items will get you started in the right direction. As security becomes a larger focus for developers, code reviews will become security code reviews (which is why it is important to focus on security education for your devs). Examining attack patterns and assumptions will enable you to produce more secure code. Just remember to dig deep, return to review often and work as a team to discover the most secure, highest quality solution.&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-2167338226615349436?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/22EvlWZnEyIta6R_g7iJbtYHUgQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/22EvlWZnEyIta6R_g7iJbtYHUgQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/22EvlWZnEyIta6R_g7iJbtYHUgQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/22EvlWZnEyIta6R_g7iJbtYHUgQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/U3gVTiX-2MU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/2167338226615349436/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=2167338226615349436" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2167338226615349436?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2167338226615349436?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/U3gVTiX-2MU/security-code-review-vs-code-review.html" title="Security Code Review vs. 
Code Review" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><georss:featurename>Baltimore, MD, USA</georss:featurename><georss:point>39.2903848 -76.6121893</georss:point><georss:box>39.1920723 -76.7701178 39.3886973 -76.4542608</georss:box><feedburner:origLink>http://seccode.blogspot.com/2011/12/security-code-review-vs-code-review.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8ER3o-cSp7ImA9WhRXFk0.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-2923137327183736918</id><published>2011-12-22T18:36:00.000-08:00</published><updated>2011-12-22T18:36:46.459-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-22T18:36:46.459-08:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="membership provider" /><category scheme="http://www.blogger.com/atom/ns#" term="asp.net" /><category scheme="http://www.blogger.com/atom/ns#" term="ajax" /><category scheme="http://www.blogger.com/atom/ns#" term="authentication" /><category scheme="http://www.blogger.com/atom/ns#" term="jquery mobile" /><category scheme="http://www.blogger.com/atom/ns#" term="jQuery" /><title>My first jQuery Mobile application</title><content type="html">For the past two weeks I have been working on a jQuery Mobile application (http://www.jquerymobile.com). I have been extremely impressed with the capabilities and simplicity of the API. 
Being familiar with jQuery and jQuery UI the basics were easy to pick up but there have been a few challenges that I encountered as an ASP.NET WebForms developer.&amp;nbsp;&amp;nbsp;One such challenge was implementing the Membership Provider and Role Provider with jQuery Mobile (being that it has some challenges with Postbacks [ &lt;a href="http://forum.jquery.com/jquery-mobile/search/postback"&gt;http://forum.jquery.com/jquery-mobile/search/postback&lt;/a&gt;]).&lt;br /&gt;
&lt;h2&gt;Why jQuery Mobile?&lt;/h2&gt;For this project I needed to build a mobile application that would render the same on multiple device platforms (and gracefully degrade if necessary). jQuery Mobile has excellent cross-device support (&lt;a href="http://jquerymobile.com/gbs/"&gt;http://jquerymobile.com/gbs/&lt;/a&gt;) and leverages my pre-existing jQuery skill set. Also, I like web applications. I like JavaScript :) and really enjoy working with jQuery.&lt;br /&gt;
&lt;h2&gt;Why Web Forms?&amp;nbsp;&lt;/h2&gt;Yes, ASP.NET MVC is awesome and yes I do want to move in that direction but again, my skill set has been Web Forms and I did not want to side track my jQuery Mobile project with learning MVC as well. Over the holiday I will be dedicating some time to MVC but for now, I needed to stick to Web Forms.&lt;br /&gt;
&lt;h2&gt;Bridging the Gap&lt;/h2&gt;To bridge between ASP.NET and jQuery Mobile I used the Microsoft Ajax Library. In my mobile application jQuery controls the interface and client side actions. ASP.NET is used to decide what to render to the client based on security and business logic rules. When I need to bridge the two, I cannot use jQuery Mobile to do Postbacks, but can use the Microsoft Ajax Library (included by default in ASP.NET 3.5 and above) to interact with server components. When it came to leveraging my custom Membership Provider, the Microsoft Ajax Library had pre-built components ready to use for this task. Enabling and interacting with them was very easy.&lt;br /&gt;
&lt;h2&gt;Implementing Membership Provider login with jQuery Mobile&lt;/h2&gt;&lt;h3&gt;Step 1: Implement the Membership Provider for your Web Forms application&lt;/h3&gt;I will not go through the details on this as it has been documented on many other sources such as&amp;nbsp;&lt;a href="http://www.asp.net/web-forms/overview/security"&gt;http://www.asp.net/web-forms/overview/security&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="http://hakin9.org/flexible-access-online-asp-net%E2%80%99s-access-control-for-the-web/"&gt;http://hakin9.org/flexible-access-online-asp-net%E2%80%99s-access-control-for-the-web/&lt;/a&gt;. Follow those links for directions on how to setup the Membership Provider for your site.&lt;br /&gt;
&lt;h3&gt;Step 2: Setup web.config to enable the Authentication service&lt;/h3&gt;To use the client side authentication functions you must first enable the service that will be used to process the authentication. To do this you must add (or uncomment) the following block of code:&lt;br /&gt;
&lt;blockquote&gt;&lt;div&gt;&amp;lt;system.web.extensions&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;lt;scripting&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;lt;webServices&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;lt;authenticationService enabled="true" requireSSL="true"&amp;gt;&amp;lt;/authenticationService&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;lt;/webServices&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;lt;/scripting&amp;gt;&lt;/div&gt;&lt;div&gt;&amp;lt;/system.web.extensions&amp;gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;br /&gt;
This will enable the authenticationService (see the middle line, enabled="true"). I have also set this to require SSL when transmitting the credentials. This is good practice so that you do not expose a user's credentials as clear text over the wire; note that requireSSL only governs the service endpoint, so the page that collects and submits the credentials should itself be served over HTTPS as well. This configuration setting tells ASP.NET to prepare an .axd web service that will receive your user's credentials.&lt;br /&gt;
&lt;h3&gt;Step 3: Add the Authentication service call&lt;/h3&gt;Once the web.config is prepped, you are ready to call the service in JavaScript. This is easily done by calling:&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;Sys.Services.AuthenticationService.login(&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;username,&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;password,&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;true,&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;"default.aspx",&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;"",&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;success,&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;authFail,&amp;nbsp;&lt;/div&gt;&lt;div&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;null);&lt;/div&gt;&lt;br /&gt;
The first and second parameters to this method are the username and password. In this example I have passed in the variables username and password after they have been passed through input validation/sanitization. Remember to ALWAYS validate input from the user. The third parameter is a boolean value that states whether or not to persist the user's authentication ticket across browser sessions. &amp;nbsp;Fourth, you can define a redirect URL for the system to send the user to after successful authentication. You could pull this from the web.config using a Response.Write for the argument value or any other technique to inject server values into your client side JavaScript (or write the whole JavaScript on the server); any server value written into script this way must be JavaScript-encoded so that it cannot break out of the string literal. The fifth parameter is to pass in any custom information, but this value is not used currently by the system. Next you can define your Success and Failure methods (just like any Ajax call) and finally define the User Context which can be passed along to the success/fail methods.&lt;br /&gt;
&lt;br /&gt;
That is all there is to it. Use the Success method to make decisions about what to do after authentication or just let the system process the user to the redirectURL. Using this bridge between ASP.NET and jQuery Mobile, you can use your existing authentication system in your new mobile app. I will add a code sample in the next few days. For now, I need to sleep :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-2923137327183736918?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/DIKjqCWrM6kQh0F7Im2FF8VErTs/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/DIKjqCWrM6kQh0F7Im2FF8VErTs/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/DIKjqCWrM6kQh0F7Im2FF8VErTs/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/DIKjqCWrM6kQh0F7Im2FF8VErTs/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/21T4C1CDvdQ" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/2923137327183736918/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=2923137327183736918" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2923137327183736918?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2923137327183736918?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/21T4C1CDvdQ/my-first-jquery-mobile-application.html" title="My first jQuery Mobile application" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/12/my-first-jquery-mobile-application.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0cFQX8_fSp7ImA9WhRQGE8.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-4332650788407828</id><published>2011-12-13T18:16:00.000-08:00</published><updated>2011-12-13T18:16:50.145-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-12-13T18:16:50.145-08:00</app:edited><title>The Genie and the Bottle</title><content 
type="html">I've been seeing a lot of people writing lately about the Stop Online Piracy Act (SOPA) and figured I should find out more about this. Turns out the topic is right up my alley, online law (possibly a future career for me :) ). I went over to Wikipedia to see what everyone agrees that SOPA is and how it will impact the online universe. Without diving deep into the contents, the bill basically attempts to protect copyright material and intellectual property by giving the copyright holder legal action against any site that provides or links to a site that infringes copyright. The subtitle for the bill is:&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-family: DeVinne; font-size: small;"&gt;&lt;span style="font-family: DeVinne; font-size: small;"&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="font-family: DeVinne; font-size: small;"&gt;&lt;span style="font-family: DeVinne; font-size: small;"&gt;&lt;div align="left"&gt;To promote prosperity, creativity, entrepreneurship, and innovation by&lt;/div&gt;combating the theft of U.S. property, and for other purposes.&lt;/span&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;
First off, I find reading bills about cyber law fascinating. To me the Internet is a lawless place where law makers attempt to enforce rules on a chaotic machine of knowledge, entertainment and cute kittens. Secondly, I believe that this bill has its heart in the right place. The idea that ideas will drive the future and that we need to protect those ideas is admirable. While reading this bill I noticed the focus on US property only, which I guess makes sense for a US legal system, but I would think that our interest (humanity in general) is to protect Intellectual Property for all, not just watching our own backs. So while I find this topic interesting and the purpose with good intent, I do not believe that this bill would have much effect other than to create problems for search engines.&lt;br /&gt;
&lt;br /&gt;
I'm not a cyber law expert, nor an expert on this particular bill but as I read it my mind keeps thinking about Napster. Not the Napster of today but the Napster I grew up with; a feeding frenzy of free content that people used constantly to grow their music collection, software and video libraries. I remember talking with my brother about this world of free content built by Napster and the impact of the Metallica lawsuit. He said something to the effect of: "The genie is out of the bottle and the record companies cannot put it back." SOPA is another attempt to put the genie back in the bottle but I am not sure how this would help unless the site was discoverable or known. Maybe Google/Paypal encounter infringing sites often enough to make SOPA successful but to me this is more about trying to control the wild wild web. With broadband capabilities and shrinking file sizes content can be shared fast and free. &lt;br /&gt;
&lt;br /&gt;
I do believe we need some help protecting the products of creative minds online, but I'm not sure how we can do that. SOPA is a well-intentioned (it seems) attempt to protect US-based creators, but how else could we do this? Do we need police or a neighborhood watch?&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-4332650788407828?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/JFUOcHeG1HME0PG4uK5ZRD8SFH8/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/JFUOcHeG1HME0PG4uK5ZRD8SFH8/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/JFUOcHeG1HME0PG4uK5ZRD8SFH8/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/JFUOcHeG1HME0PG4uK5ZRD8SFH8/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/UQzdNds0qq4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/4332650788407828/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=4332650788407828" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4332650788407828?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4332650788407828?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/UQzdNds0qq4/genie-and-bottle.html" title="The Genie and the Bottle" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/12/genie-and-bottle.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE4MRHc8eSp7ImA9WhdSEU8.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-3111375686808320402</id><published>2011-07-19T17:49:00.000-07:00</published><updated>2011-07-19T17:49:45.971-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-07-19T17:49:45.971-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="software" /><title>Forensically sound</title><content 
type="html">I recently took a Digital Forensics class as part of my graduate school program. In the class we discussed "Forensically Sound" systems. These are applications that have been tested and verified by the forensic community to ensure that their "evidence" is rock-solid in court. Knowing the rigors that some software goes through I had to really scratch my head over this one: &lt;span style="font-size: 11pt;"&gt;&lt;span style="font-family: Calibri;"&gt;&lt;a href="http://www.nytimes.com/2011/07/19/us/19casey.html?_r=1&amp;amp;ref=us"&gt;http://www.nytimes.com/2011/07/19/us/19casey.html?_r=1&amp;amp;ref=us&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: 11pt;"&gt;&lt;span style="font-family: Calibri;"&gt;Seems as though the designer/developers of CacheBack found some issues in their code after it was used in&amp;nbsp;a recent&amp;nbsp;media drenched trial. Reading this article made me wonder a few questions:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;span style="font-size: 11pt;"&gt;&lt;span style="font-family: Calibri;"&gt;What kind of error makes something appear 84 times when it actually only appeared once? This is more a curious developer question because I like to know how things work.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;Is there some kind of test or standards that systems have to meet to be used in investigations? If so, what happened here? &lt;/li&gt;
&lt;li&gt;How does this issue affect previous cases where the software was used? Do all trials where the software was used get called into question?&lt;/li&gt;
&lt;/ul&gt;For a project in my forensics class I built a forensic analysis tool. It was a data mining application. I would never put it out for use by a company or investigation team. This tool was built by just me, reviewed by me and I'm the only one saying it works. I feel sorry for the developer of this tool because it is a bummer to find bugs, even more so when they are so public. The article reminds me to focus my efforts on proactive bug discovery using code reviews and static analysis.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-3111375686808320402?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/eqwfMRvF_FYjSirSDllUIk762DM/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/eqwfMRvF_FYjSirSDllUIk762DM/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/eqwfMRvF_FYjSirSDllUIk762DM/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/eqwfMRvF_FYjSirSDllUIk762DM/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/QjsQTu3p3_o" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/3111375686808320402/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=3111375686808320402" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/3111375686808320402?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/3111375686808320402?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/QjsQTu3p3_o/forensically-sound.html" title="Forensically sound" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/07/forensically-sound.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUAFQn8yeip7ImA9WhdSEE4.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-6758952040978017957</id><published>2011-07-18T18:08:00.000-07:00</published><updated>2011-07-18T18:08:33.192-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-07-18T18:08:33.192-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="web development" /><category 
scheme="http://www.blogger.com/atom/ns#" term="application security" /><category scheme="http://www.blogger.com/atom/ns#" term="software" /><title>Application Security: The view is better but still bleak</title><content type="html">As a development manager it is enough of a challenge to deliver applications on time and under budget. With the growing threats to web applications we need to build secure applications on time and under budget. That makes things a bit more complicated. It is necessary to be proactive in security (because reactive security [i.e. Patch Tuesday] is not working) by building security into our software. Unfortunately, many are not putting in the investment to do so, as this new report from Forrester illustrates: &lt;a href="http://blogs.msdn.com/b/sdl/archive/2011/07/12/application-security-2011-amp-beyond-a-forrester-research-report.aspx"&gt;http://blogs.msdn.com/b/sdl/archive/2011/07/12/application-security-2011-amp-beyond-a-forrester-research-report.aspx&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
This report shows that while people see&amp;nbsp;software security as important, they choose to spend their money elsewhere. How can we show that software security is a true long term fix? Is there an equation to illustrate revenue? Will there ever come a day when software security is held as a requirement to software projects like the structural stability of a bridge? &lt;br /&gt;
&lt;br /&gt;
I think this report illustrates many interesting points about spending and how to position software security for investment in YOUR organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-6758952040978017957?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/wiOmenJUsOd7PwoFDOM7nAfjhM8/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wiOmenJUsOd7PwoFDOM7nAfjhM8/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/wiOmenJUsOd7PwoFDOM7nAfjhM8/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wiOmenJUsOd7PwoFDOM7nAfjhM8/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/CuqGCmfcZN4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/6758952040978017957/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=6758952040978017957" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6758952040978017957?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6758952040978017957?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/CuqGCmfcZN4/application-security-view-is-better-but.html" title="Application Security: The view is better but still bleak" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/07/application-security-view-is-better-but.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0ANQ3w9fyp7ImA9WhZbFkw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-5765040420049248293</id><published>2011-06-20T17:23:00.000-07:00</published><updated>2011-06-20T17:23:12.267-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-20T17:23:12.267-07:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="stupid human tricks" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Marketing people consult with InfoSec prior to a stunt like this...</title><content type="html">I saw this on MSN first then on Sophos' Naked Security but both articles made me scratch my head a bit. BeautifulPeople.com is claiming that a virus permitted 30,000 ugly people to register on their site. The website's schtick is that only attractive people (rated by your peers) are permitted on the site to setup dates with other attractive people. Security professionals like Graham Cluley of Sophos are suspicious that this is simply a media stunt. (&lt;a href="http://nakedsecurity.sophos.com/2011/06/20/beautifulpeople-dupes-mediashrek-virus-media-stunt/"&gt;http://nakedsecurity.sophos.com/2011/06/20/beautifulpeople-dupes-mediashrek-virus-media-stunt/&lt;/a&gt;)&lt;br /&gt;
&lt;br /&gt;
If I were the information security person at BeautifulPeople.com, I think I would turn in my notice right now. This stunt seems to be begging for a hacker group to tear into them. I don't think drawing attention to your organization's security (or lack thereof) is&amp;nbsp;a wise idea in the current security landscape. The claim is that a disgruntled developer loaded the virus into the system. This tells me that BeautifulPeople.com does not have adequate change management controls, which are a foundation of keeping your production servers clean and functional. If you do not have change management in place, then there are probably some higher-level security controls lacking as well.&lt;br /&gt;
&lt;br /&gt;
While I am betting the whole thing is a hoax, I am curious to see who has the last laugh. I'm going to guess that BeautifulPeople.com just painted a target on their site; stay tuned to see when an "ugly" hacker takes the company down.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-5765040420049248293?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/gn3eXz9WYXGrrUMiZfn2fbB-t08/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gn3eXz9WYXGrrUMiZfn2fbB-t08/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/gn3eXz9WYXGrrUMiZfn2fbB-t08/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gn3eXz9WYXGrrUMiZfn2fbB-t08/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/g1littkKB6M" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/5765040420049248293/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=5765040420049248293" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5765040420049248293?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5765040420049248293?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/g1littkKB6M/marketing-people-consult-with-infosec.html" title="Marketing people consult with InfoSec prior to a stunt like this..." 
/><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/06/marketing-people-consult-with-infosec.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEQFSHg8fyp7ImA9WhZUF0g.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-4127300348727073186</id><published>2011-06-10T18:38:00.000-07:00</published><updated>2011-06-10T18:38:39.677-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-06-10T18:38:39.677-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social networking" /><category scheme="http://www.blogger.com/atom/ns#" term="social engineer" /><category scheme="http://www.blogger.com/atom/ns#" term="hack" /><title>What's your royal wedding guest name?</title><content type="html">&lt;blockquote&gt;Start with Lord or Lady and the first name of one of your grandparents. Add a double-barreled, hyphenated combo surname consisting of the name of your first pet and the street you lived on as a child.&lt;/blockquote&gt;Does this sound like something that you would fill out? Are you trying to figure out your royal name? Are you sure this fun filled questionnaire is about your royal name or harvesting personal information?&lt;br /&gt;
Look again at the second question:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;consisting of the name of your first pet&lt;/li&gt;
&lt;li&gt;and the street you lived on as a child&lt;/li&gt;
&lt;/ul&gt;These two questions are common questions for password recovery controls. While you are having fun concocting your royal name, someone is collecting a lot of information that can be used to pose as you online. In the past I have filled out many surveys to determine which superhero I would be or which Lord of the Rings character I most identify with but never had I seen a survey directly ask questions that other sites use to secure your account.&lt;br /&gt;
&lt;br /&gt;
While these questions jumped out at my wife (I have programmed her well :) ), many users would probably not connect the dots. This is a great example of a point I make when discussing Social Networking/Media security: Keep your eye on the aggregate! Providing answers to these questions by themselves might not be a security issue but when combined with all the other data you put out into the Social Web it can be easy to have a compromised account. &lt;br /&gt;
&lt;br /&gt;
As an example, suppose that I did fill out the royal name survey. When I fill out the survey and give the application (the Royal Name survey) permission to access my Profile, the application can access a lot of information from my Profile. From this information, an attacker can piece together a usage profile based on the information I have provided to Facebook. If I have an obvious "like" such as "Watching Netflix with my wife", then the attacker could try to access my Netflix account. What if they adjust my queues? That is a light-hearted example, but you get the point.&lt;br /&gt;
&lt;br /&gt;
Playing on Facebook and other social media/networking sites can be fun but keep in mind what you are actually doing. Watch out for surveys that collect a little too much information and ALWAYS be mindful of the aggregate. Think about everything you are putting out to the Social Web and if your individual data points can tell more of a story than you really want strangers to know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-4127300348727073186?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/M5j1JhreJ23XXuJ5Ive6wakncgQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/M5j1JhreJ23XXuJ5Ive6wakncgQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/M5j1JhreJ23XXuJ5Ive6wakncgQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/M5j1JhreJ23XXuJ5Ive6wakncgQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/o6HLdzy7w8Y" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/4127300348727073186/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=4127300348727073186" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4127300348727073186?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4127300348727073186?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/o6HLdzy7w8Y/whats-your-royal-wedding-guest-name.html" title="What's your royal wedding guest name?" 
/><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/06/whats-your-royal-wedding-guest-name.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUUGQXc4fCp7ImA9WhZTE0w.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-2465815689195452589</id><published>2011-03-16T16:13:00.000-07:00</published><updated>2011-03-16T16:13:40.934-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2011-03-16T16:13:40.934-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="javascript" /><category scheme="http://www.blogger.com/atom/ns#" term="web development" /><category scheme="http://www.blogger.com/atom/ns#" term="jQuery" /><title>Newest publication! ScriptJunkies and jQuery</title><content type="html">I just had a new article published over at &lt;a href="http://msdn.microsoft.com/en-us/scriptjunkie/gg715549.aspx"&gt;ScriptJunkies&lt;/a&gt;. For those not familiar, ScriptJunkies is a client-side development site that focuses on HTML, CSS and JavaScript. If you are a web developer, you need to get over to the site right away and read one of the many articles they have on improving your JavaScript or designing with HTML5 or CSS3. &lt;br /&gt;
&lt;br /&gt;
My article is about Data Binding with jQuery. The article explores two plugins, $.tmpl and $.fn.DataBinder. &lt;a href="http://weblogs.asp.net/scottgu/archive/2010/10/04/jquery-templates-data-link-and-globalization-accepted-as-official-jquery-plugins.aspx"&gt;$.tmpl&lt;/a&gt;&amp;nbsp;is a jQuery plugin that allows the developers to bind data to a template. The data is JSON but could be anything with a bit of tweaking. &lt;a href="http://bit.ly/fDmVTZ"&gt;$.fn.DataBinder&lt;/a&gt; is&amp;nbsp;a plugin that my development team at MEDEX Global Solutions and I cooked up to do some standard tasks such as sorting, searching and paging the data. The plugins are easy to use and snap in pretty simply. &lt;br /&gt;
&lt;br /&gt;
Let me know what you think about the article and if you have any questions on implementation, don't hesitate to post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-2465815689195452589?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/huctqe90OwSEkr_bHmpqI28pfQM/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/huctqe90OwSEkr_bHmpqI28pfQM/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/huctqe90OwSEkr_bHmpqI28pfQM/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/huctqe90OwSEkr_bHmpqI28pfQM/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/Ic7XbYMFFUg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/2465815689195452589/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=2465815689195452589" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2465815689195452589?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2465815689195452589?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/Ic7XbYMFFUg/newest-publication-scriptjunkies-and.html" title="Newest publication! 
ScriptJunkies and jQuery" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>3</thr:total><feedburner:origLink>http://seccode.blogspot.com/2011/03/newest-publication-scriptjunkies-and.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkUGQH4-cCp7ImA9Wx5TFU4.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-5962033024911659775</id><published>2010-07-30T17:54:00.000-07:00</published><updated>2010-07-30T18:03:41.058-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-30T18:03:41.058-07:00</app:edited><title>Twitter's case for growth</title><content type="html">Yeah, I know this is a bit old, but I thought this was interesting. As I understand it, Twitter's challenge is in having their systems flooded with traffic, yet they are not looking at a cloud solution.&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;"Twitter will have full control over network and systems configuration, with a much larger footprint in a building designed specifically around our unique power and cooling needs," the company's engineering blog noted. "Importantly, having our own data center will give us the flexibility to more quickly make adjustments as our infrastructure needs change.&lt;/blockquote&gt;&lt;br /&gt;
While this is all well and good, I have to wonder if keeping the infrastructure in-house is a wise decision. Their description sounds exactly like why you want to use a cloud facility such as Windows Azure or Amazon Cloud. For those who do not know, using a cloud server system allows the client (in this case Twitter) to be agile in the number of servers they use. Cloud facilities also do some pretty amazing stuff with HVAC to keep the facility cool and, thus, the servers functioning. So if a cloud service will take care of their business requirements without the overhead of hardware, why wouldn't they go with a cloud solution? &lt;br /&gt;
&lt;br /&gt;
On the other hand, you do lose control with a cloud. Keeping the system in-house will allow Twitter to have complete control over what is on the servers and who is accessing them. Administrative functions will also be able to stay in-house keeping Twitter in the know as to who is fixing their systems and building maintenance schedules.&lt;br /&gt;
&lt;br /&gt;
What do you think, should Twitter go cloud?&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://news.cnet.com/8301-13577_3-20011315-36.html?tag=mncol;title"&gt;http://news.cnet.com/8301-13577_3-20011315-36.html?tag=mncol;title&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-5962033024911659775?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/ssIGAceoIa4iyr-618rZooov6Rc/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/ssIGAceoIa4iyr-618rZooov6Rc/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/ssIGAceoIa4iyr-618rZooov6Rc/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/ssIGAceoIa4iyr-618rZooov6Rc/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/mRQyzH-itEE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/5962033024911659775/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=5962033024911659775" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5962033024911659775?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5962033024911659775?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/mRQyzH-itEE/twitters-case-for-growth.html" title="Twitter's case for growth" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/twitters-case-for-growth.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0MCSHszeCp7ImA9WxFaFU0.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-5994636894285589315</id><published>2010-07-18T18:04:00.000-07:00</published><updated>2010-07-18T18:04:29.580-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-18T18:04:29.580-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="html 5" /><category 
scheme="http://www.blogger.com/atom/ns#" term="information security" /><category scheme="http://www.blogger.com/atom/ns#" term="css 3" /><title>HTML 5 and CSS 3: New attack vectors</title><content type="html">My friend at work/design guru Clint expounds on the qualities of HTML 5 and CSS 3. He makes the combo sound like the second coming in web design, and maybe they are...but to me, new technology = new threats. Are rounded corners and less JavaScript really worth opening a new Pandora's box?&lt;br /&gt;
&lt;br /&gt;
Recently SecureIdeas posted this link on Twitter that has a great exploit to do an XSS attack via HTML5's new features. &lt;a href="http://bit.ly/bYMzLR"&gt;http://bit.ly/bYMzLR&lt;/a&gt; &lt;br /&gt;
&lt;br /&gt;
If you are not following &lt;a href="http://twitter.com/secureideas"&gt;@secureideas&lt;/a&gt; and you are into Information Security then get with that twit-feed :) They provide great resources and I've learned a lot from their 140 characters.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-5994636894285589315?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/pEJN-rCHL_r4MJBdtounfU00WXQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/pEJN-rCHL_r4MJBdtounfU00WXQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/pEJN-rCHL_r4MJBdtounfU00WXQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/pEJN-rCHL_r4MJBdtounfU00WXQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/ENidXTCSlRA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/5994636894285589315/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=5994636894285589315" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5994636894285589315?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/5994636894285589315?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/ENidXTCSlRA/html-5-and-css-3-new-attack-vectors.html" title="HTML 5 and CSS 3: New attack vectors" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/html-5-and-css-3-new-attack-vectors.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AFR3s_eCp7ImA9WxFaEkk.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-4147010144764606136</id><published>2010-07-15T19:01:00.000-07:00</published><updated>2010-07-15T19:01:56.540-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-15T19:01:56.540-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" 
term="social networking" /><category scheme="http://www.blogger.com/atom/ns#" term="policy" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Social Media Metrics</title><content type="html">It seems like every company is building a social media strategy, but measuring success can be very subjective. Last night I found this excellent article on Social Media Today that explores "6 Social Media Metrics You Should be Tracking". The article is brief yet provides great information. &lt;br /&gt;
The article examines 3 measurements:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Activity: What are people doing on your social media site?&lt;/li&gt;
&lt;li&gt;Interaction: How well does your audience interact with you?&lt;/li&gt;
&lt;li&gt;Returns: How do your social media activities support your organization's success?&lt;/li&gt;
&lt;/ul&gt;Just like an Economic Feasibility study, you measure each of these items from two mindsets - Quantitative &amp;amp; Qualitative. Quantitative is numeric; Qualitative is more generic/general. An example of a Quantitative Measure would be # of Posts (an example of Activity), because this can be counted and measured. More posts, more value to the client. An example of Qualitative would be Comments, showing that users are engaged in your activity. Mapping these two measuring methodologies provides the following matrix:&lt;br /&gt;
&lt;br /&gt;
&lt;table border="1" cellpadding="3" cellspacing="2"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;Quantitative&lt;/td&gt;&lt;td&gt;Qualitative&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Activity&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;# of Posts&lt;/li&gt;
&lt;li&gt;Update Frequency&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;Comments&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Interactivity&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;# of Comments&lt;/li&gt;
&lt;li&gt;# of Followers/Fans&lt;/li&gt;
&lt;li&gt;# of Views&lt;/li&gt;
&lt;li&gt;Amount of user content&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;Customer Sentiment&lt;/li&gt;
&lt;li&gt;&lt;span class="goog-spellcheck-word"&gt;Learnings&lt;/span&gt;&lt;/li&gt;
&lt;li&gt;Buzz&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Returns&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;# of Leads&lt;/li&gt;
&lt;li&gt;# of Sales&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;td&gt;&lt;ul&gt;&lt;li&gt;Success stories&lt;/li&gt;
&lt;li&gt;&lt;span class="goog-spellcheck-word"&gt;Learnings&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;
These items are the examples from the Social Media Today article. These metrics are a key starting point for any business's social media strategy. Any business process should support the business somehow; these metrics allow marketing staff to point to metrics for success.&lt;br /&gt;
&lt;br /&gt;
What does this mean for security? As marketing begins proving that social media is not only a valuable business initiative but critical to the continuity of effective marketing, simply blocking social media and social networking sites will not be a sustainable answer. As Information Security professionals, we must enable business while ensuring the security of the organization. So...what are you doing for social media policy? Let me know your thoughts on Social Media Security Policy. If you need a spark of inspiration, here are some samples.&lt;br /&gt;
&lt;br /&gt;
&lt;div&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;&lt;a href="http://www.sun.com/communities/guidelines.jsp"&gt;Oracle&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.intel.com/sites/sitewide/en_US/social-media.htm"&gt;Intel&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://fastlane.gmblogs.com/about.html"&gt;GM&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://blogs.law.harvard.edu/terms-of-use/"&gt;Harvard&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;Social Media Today Article: &lt;a href="http://socialmediatoday.com/mikebrown1/146589/6-social-media-metrics-you-should-be-tracking/"&gt;http://&lt;span class="goog-spellcheck-word"&gt;socialmediatoday&lt;/span&gt;.com/mikebrown1/146589/6-social-media-metrics-you-should-be-tracking/&lt;/a&gt;&lt;br /&gt;
Sample Social Media Policies: &lt;a href="http://www.csoonline.com/article/596966/sample-social-media-and-blogging-policies-from-other-sites"&gt;http://www.&lt;span class="goog-spellcheck-word"&gt;csoonline&lt;/span&gt;.com/article/596966/sample-social-media-and-blogging-policies-from-other-sites-&lt;/a&gt;&lt;br /&gt;
&lt;table style="background: black;"&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td width="140"&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=0596806604&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td width="140"&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=0470289341&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-4147010144764606136?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/vhivAEFibu2otLn6gTfJfwcnTG4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/vhivAEFibu2otLn6gTfJfwcnTG4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/vhivAEFibu2otLn6gTfJfwcnTG4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/vhivAEFibu2otLn6gTfJfwcnTG4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/4-bErx8frJ0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/4147010144764606136/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=4147010144764606136" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4147010144764606136?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4147010144764606136?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/4-bErx8frJ0/social-media-metrics.html" title="Social Media Metrics" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/social-media-metrics.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk8DRX8_fCp7ImA9WxFaEEo.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-6459436976832282929</id><published>2010-07-13T19:34:00.000-07:00</published><updated>2010-07-13T19:34:34.144-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-13T19:34:34.144-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social networking" /><category 
scheme="http://www.blogger.com/atom/ns#" term="computer forensics" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>Social Media Forensics</title><content type="html">I just finished watching a web presentation about social media forensics, or the collection of evidence through social media. This evidence could be used for legal purposes (which was the primary focus of the presentation) or can simply be collecting information about people. The presentation was very interesting because it discussed some topics that I have recently been thinking about in a more concrete, example-driven way.&amp;nbsp;I also found some of the tracking methodologies discussed interesting, such as using Web Analytics data to identify a user who is trying to subvert detection via an Anonymizer (software that bounces your identity around the Internet to make it harder to track). &lt;br /&gt;
&lt;br /&gt;
One example of evidence they gave was the blog posts of a lady who committed suicide. Her family claimed that the suicide was a result of medication that she was on. The pharma company tracked down blog posts that linked her suicide to a deeper problem (predating the medication usage), which exonerated the company in the wrongful death suit. This is an interesting use of a blog/social site to illustrate an existing condition, as if the dead were to speak in court.&lt;br /&gt;
&lt;br /&gt;
Another topic was how posts and comments can illustrate character and credibility in a trial. Things people post or show via pictures can tell a lot about an individual's trustworthiness. This also can fall under&amp;nbsp;the Evil Twin (sorry, I promise I won't tie everything back to this) defamation of character topic. Imagine how your character can be destroyed with a fake Facebook profile that is open to the public.&lt;br /&gt;
&lt;br /&gt;
The challenge with using Social Media for evidence is that the content is so dynamic that it can be difficult to use as evidence. With an ever-changing and dynamic nature, a page's content can change by the minute. This will require new forensic techniques and technologies to capture what was there and store it in a non-refutable manner.&lt;br /&gt;
&lt;br /&gt;
A few ideas to keep an eye on your social media:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Consider employing your change management policies to Social Media (keep a good record of everything you do on these sites)&lt;/li&gt;
&lt;li&gt;Keep a tight grip on Access Control (if you give out your user name and password...stop doing that!)&lt;/li&gt;
&lt;li&gt;Consider recording everything (screen capture at all times could clear you of wrongful accusations)&lt;/li&gt;
&lt;/ul&gt;Are these realistic for everyone? No, but they can be used in an enterprise. My key takeaways from this web presentation: be careful what you post because they are watching with many eyes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-6459436976832282929?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/YaKhNwTDZF9H0HnfAwRCm2gMcvE/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/YaKhNwTDZF9H0HnfAwRCm2gMcvE/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/YaKhNwTDZF9H0HnfAwRCm2gMcvE/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/YaKhNwTDZF9H0HnfAwRCm2gMcvE/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/cBo5oh2yYJo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/6459436976832282929/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=6459436976832282929" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6459436976832282929?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6459436976832282929?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/cBo5oh2yYJo/social-media-forensics.html" title="Social Media Forensics" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/social-media-forensics.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8DQ38_cCp7ImA9WxFbF04.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-2622918643026272131</id><published>2010-07-09T20:51:00.000-07:00</published><updated>2010-07-09T20:51:12.148-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-09T20:51:12.148-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="US government" /><category 
scheme="http://www.blogger.com/atom/ns#" term="cyber warfare" /><category scheme="http://www.blogger.com/atom/ns#" term="cyber crime" /><title>GAO says OSTP has Fatal System Error</title><content type="html">This week the&amp;nbsp;Government Accountability Office (GAO) released a report stating that the White House Office of Science and Technology Policy has put the United States at risk of falling behind other countries in the area of cybersecurity. The report states that OSTP was tasked with developing a cybersecurity strategy and updating it annually in 2003 and, as of yet, has not lived up to its responsibilities. While the report recognizes that OSTP is taking steps to build such a plan, "one does not currently exist", the report said. (1) Check out &lt;a href="http://www.csoonline.com/article/598873/gao-white-house-failing-on-cybersecurity"&gt;http://www.csoonline.com/article/598873/gao-white-house-failing-on-cybersecurity&lt;/a&gt;&amp;nbsp;for more about this story. &lt;br /&gt;
&lt;br /&gt;
This report is quite timely with this month's&lt;a href="http://www.economist.com/"&gt; Economist magazine&lt;/a&gt; focusing on Cyberwar. The article examines how the United States and various other countries are building their cyberwar capabilities for an impending digital battleground. Some people believe that war is already upon us and that the United States is struggling to keep up. The United States has pulled a Microsoft in relation to cyberwar, they are late to the game and trying to catch up (as most governments are). A great example of this is in &lt;span&gt;&lt;a href="http://www.amazon.com/Fatal-System-Error-Bringing-Internet/dp/1586487485?ie=UTF8&amp;amp;tag=seccode20&amp;amp;link_code=btl&amp;amp;camp=213689&amp;amp;creative=392969" target="_blank"&gt;Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet&lt;/a&gt;&lt;img alt="" border="0" height="1" src="http://www.assoc-amazon.com/e/ir?t=seccode20&amp;amp;l=btl&amp;amp;camp=213689&amp;amp;creative=392969&amp;amp;o=1&amp;amp;a=1586487485" style="border-bottom: medium none; border-left: medium none; border-right: medium none; border-top: medium none; margin: 0px; padding-bottom: 0px !important; padding-left: 0px !important; padding-right: 0px !important; padding-top: 0px !important;" width="1" /&gt;&amp;nbsp;in which the United States is not really sure how to deal with the various layers of cybercrime that the main character is trying to expose.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span&gt;For the United States, the military might not be the best defense against cyberwarfare/cyberterrorism, business might be. When you consider how many huge Internet companies are based in the US, the powerful infrastructures they have built and the massive talent pool they employ, can the military keep pace? Who do you think is better prepared for a cyberterrorist attack, US Department of Health and Human Services or Google?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;span&gt;Let me know your thoughts, should government rely on business for cyberdefense capabilities?&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
(1) &lt;a href="http://www.csoonline.com/article/598873/gao-white-house-failing-on-cybersecurity"&gt;http://www.csoonline.com/article/598873/gao-white-house-failing-on-cybersecurity&lt;/a&gt; by Jaikumar Vijayan&lt;br /&gt;
&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=1586487485&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=B0027VSU9S&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-2622918643026272131?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/wQmotOied7OMi9j3Yh5EXYGDMqU/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wQmotOied7OMi9j3Yh5EXYGDMqU/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/wQmotOied7OMi9j3Yh5EXYGDMqU/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/wQmotOied7OMi9j3Yh5EXYGDMqU/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/-JyjlHX7fzE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/2622918643026272131/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=2622918643026272131" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2622918643026272131?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/2622918643026272131?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/-JyjlHX7fzE/gao-says-ostp-has-fatal-system-error.html" title="GAO says OSTP has Fatal System Error" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/gao-says-ostp-has-fatal-system-error.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUMGSHw4fSp7ImA9WxFbFkk.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-4365754596302217275</id><published>2010-07-08T19:43:00.000-07:00</published><updated>2010-07-08T19:43:49.235-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-08T19:43:49.235-07:00</app:edited><title>InterSec: Where secure minds 
meet.</title><content type="html">If you are a member of the ISC2 or a security-minded professional, head over to: https://isc2intersec.leveragesoftware.com and check out InterSec. It is a really interesting site with tons of great content. If you're a member, here is my quick connect card. Shoot me a message and we can talk about some collaboration.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://isc2intersec.leveragesoftware.com/profile_view.aspx?customerid=70d5a72d8c3a4d639b12eae73fefb126"&gt;&lt;img src="http://isc2intersec.leveragesoftware.com/businesscard.aspx?customerid=70d5a72d8c3a4d639b12eae73fefb126" border="0" alt="Join Me at InterSeC!"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-4365754596302217275?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/zYGOtd68K72RXUHbVQwzKS4G5KQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zYGOtd68K72RXUHbVQwzKS4G5KQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/zYGOtd68K72RXUHbVQwzKS4G5KQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/zYGOtd68K72RXUHbVQwzKS4G5KQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/krdQlfpOen8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/4365754596302217275/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=4365754596302217275" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4365754596302217275?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4365754596302217275?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/krdQlfpOen8/intersec-where-secure-minds-meet.html" title="InterSec: Where secure minds meet." 
/><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/intersec-where-secure-minds-meet.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUQHQnc5eyp7ImA9WxFbFUg.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-561866330875185575</id><published>2010-07-07T19:32:00.000-07:00</published><updated>2010-07-07T19:48:53.923-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-07T19:48:53.923-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="social networking" /><category scheme="http://www.blogger.com/atom/ns#" term="social engineer" /><category scheme="http://www.blogger.com/atom/ns#" term="Evil Twin" /><title>Evil Twin-ish: Who is Robin Sage</title><content type="html">I follow @secureideas on twitter and saw a posting for this Slashdot article:&lt;br /&gt;
&lt;a href="http://it.slashdot.org/story/10/07/07/1439228/"&gt;http://it.slashdot.org/story/10/07/07/1439228/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
To sum up, an information security professional created a facebook profile for a Ms. Robin Sage and then commenced connecting to a variety of people. One military connection provided a little too much detail on their facebook photos and gave away their Afghanistan position. Check out the facebook profile here:&lt;br /&gt;
&lt;a href="http://www.facebook.com/robin.sage.641a"&gt;http://www.facebook.com/robin.sage.641a&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The profile is fairly believable. This is an example of an Evil Twin in the wild. An&amp;nbsp;Evil Twin is a social&amp;nbsp;networking profile that is meant to impersonate another person (usually a real person, but not in this instance; that is why this is Evil Twin-ish).&amp;nbsp;From what I'm gathering, this was done by a security professional who will be presenting at the Black Hat conference. I would bet that this person did not read my article and that they just figured this out themselves. &lt;br /&gt;
&lt;br /&gt;
For more information about Evil Twin check out:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Previous post (&lt;a href="http://seccode.blogspot.com/2010/07/hakin9-birth-of-evil-twin.html"&gt;http://seccode.blogspot.com/2010/07/hakin9-birth-of-evil-twin.html&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Hakin9 Article about building an Evil Twin (&lt;a href="http://bit.ly/dBzP1J"&gt;http://bit.ly/dBzP1J&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.amazon.com/Deadliest-Social-Network-Attacks-Syngress/dp/159749545X?ie=UTF8&amp;amp;tag=seccode20&amp;amp;link_code=btl&amp;amp;camp=213689&amp;amp;creative=392969" target="_blank"&gt;Seven Deadliest Social Network Attacks (Syngress)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
Social networking...if it looks like a person and talks like a person then...&lt;br /&gt;
&lt;table&gt;&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=159749545X&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;td&gt;&lt;iframe align="left" frameborder="0" marginheight="0" marginwidth="0" scrolling="no" src="http://rcm.amazon.com/e/cm?t=seccode20&amp;amp;o=1&amp;amp;p=8&amp;amp;l=bpl&amp;amp;asins=1597495433&amp;amp;fc1=FFFFFF&amp;amp;IS2=1&amp;amp;lt1=_blank&amp;amp;m=amazon&amp;amp;lc1=8181FF&amp;amp;bc1=000000&amp;amp;bg1=000000&amp;amp;f=ifr" style="align: left; height: 245px; padding-right: 10px; padding-top: 5px; width: 131px;"&gt;&lt;/iframe&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-561866330875185575?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/K-3eYLZEabkiL-VrjQaez6CrV0k/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/K-3eYLZEabkiL-VrjQaez6CrV0k/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/K-3eYLZEabkiL-VrjQaez6CrV0k/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/K-3eYLZEabkiL-VrjQaez6CrV0k/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/IbGNM7TB2zk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/561866330875185575/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=561866330875185575" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/561866330875185575?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/561866330875185575?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/IbGNM7TB2zk/evil-twin-ish-who-is-robin-sage.html" title="Evil Twin-ish: Who is Robin Sage" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/evil-twin-ish-who-is-robin-sage.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0IBSX0zeip7ImA9WxFbEkQ.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-688078733648095499</id><published>2010-07-04T19:05:00.000-07:00</published><updated>2010-07-04T19:05:58.382-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-04T19:05:58.382-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="security q and 
a" /><category scheme="http://www.blogger.com/atom/ns#" term="privacy" /><title>Security Q&amp;A: Is it a bad idea to use my real name on my blog?</title><content type="html">A lot of people are concerned nowadays about privacy and the web. I was recently sent this:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;I changed my blog address to have my name in it so people could find my blog easier. Do you think that's a bad idea? I've seen a lot of&amp;nbsp;professional peers&amp;nbsp;use their name on their blog and in their address. I couldn't get&amp;nbsp;my original blog name&amp;nbsp;to work as my address so I had a weird address before I changed it. Let me know what you think.&lt;/blockquote&gt;&lt;br /&gt;
To answer this question we need to analyze security and business.&amp;nbsp;My question here is: what is the business goal of the blog? In this case, the business need is for the blog to be able to be found easily with the goal being to spread&amp;nbsp;this blogger's content/personal brand. The problem this person is facing&amp;nbsp;is&amp;nbsp;that the blog cannot be found because of a "weird name" that was used instead of the author's actual name. This is an example of "Security through Obscurity": the idea that something that cannot be found is secure.&lt;br /&gt;
&lt;br /&gt;
The answer to this question is yes, use your name, with a "but". Security through obscurity does not last. Someone, some way, will put the pieces together and uncover the secret. A better approach is risk analysis/risk management. Analyze what you put out there (on your blog) and determine what this could tell a possible attacker about you. Determine your exposure and be aware. Your business in this instance is furthering your personal brand/blog content, so focus on that. Make sure your blog is 100% focused on that business goal and you will be fine.&lt;br /&gt;
&lt;br /&gt;
This is a great example of ISC2's quote: "Security transcends technology". Use your real name but&amp;nbsp;be mindful about what you put out there for the world.&amp;nbsp;Good luck with your blog!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-688078733648095499?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/yXxCHyVmDeYXTW5hLjoMpMaotcA/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/yXxCHyVmDeYXTW5hLjoMpMaotcA/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/yXxCHyVmDeYXTW5hLjoMpMaotcA/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/yXxCHyVmDeYXTW5hLjoMpMaotcA/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/7Do4-_aXhpA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/688078733648095499/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=688078733648095499" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/688078733648095499?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/688078733648095499?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/7Do4-_aXhpA/security-q-is-it-bad-idea-to-use-my.html" title="Security Q&amp;A: Is it a bad idea to use my real name on my blog?" 
/><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/security-q-is-it-bad-idea-to-use-my.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CkIBRH05fip7ImA9WxFbEks.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-7588397182963128320</id><published>2010-07-03T21:11:00.000-07:00</published><updated>2010-07-04T09:22:35.326-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-04T09:22:35.326-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="application security" /><category scheme="http://www.blogger.com/atom/ns#" term="Bid Pal" /><category scheme="http://www.blogger.com/atom/ns#" term="iPod" /><category scheme="http://www.blogger.com/atom/ns#" term="apple" /><title>Weak authentication could have won Daily Show tickets</title><content type="html">I am a big supporter of the Maryland Food Bank. Recently, I went to the Blue Jean Ball fundraiser, which is a black-tie event above the waist and jeans below. Interesting concept and enjoyable evening. I felt like a lot of people were underdressed but I am&amp;nbsp;guessing those were the "my boss could not go so he/she gave me the tickets" and they didn't know how to dress (always research that).&lt;br /&gt;
&lt;br /&gt;
The food was excellent. I had too many Tuna on Cucumber things but other than that it was a great night. A silent auction is held with all kinds of interesting prizes like golf trips, beach vacations, tours of the Walters (Maria and I won that last year :) ), etc... This year, as you came into the event the staff handed you a device (&lt;span class="goog-spellcheck-word"&gt;iPod&lt;/span&gt; Touch) that you could use to place your bids for the silent auction or donate to the Food Bank. Using your device you entered the auction item number and then the amount you were bidding. Neat idea, makes it more interesting to have a bidding war. When heading into the dinner area, I put the device in my pocket to hold my wife's purse (yep, you read that correctly). Pulling the device from my pocket I accidentally hit the home button, which took me out of the Bid Pal software. The device was not locked down. I now had access to the &lt;span class="goog-spellcheck-word"&gt;iPod&lt;/span&gt; Touch, &lt;span class="goog-spellcheck-word"&gt;Wi&lt;/span&gt;-&lt;span class="goog-spellcheck-word"&gt;Fi&lt;/span&gt; of the Food Bank, and the few other applications that were on the device.&lt;br /&gt;
&lt;br /&gt;
I tried to reopen Bid Pal but could not; I needed an ID Number and password, neither of which I knew. So I went to the service desk for assistance. Told them my tale of woe and they said they could help. I needed to get back in to check on my bid for Daily Show tickets (I didn't win). The lady at the service desk asked me my phone number and then looked me up on a list. She said, 432 as she typed it in to the Bid Pal &lt;span class="goog-spellcheck-word"&gt;log in&lt;/span&gt; screen and handed me the device all set. She told me if it happens again, that my number is 432 and the password is my phone number.&lt;br /&gt;
&lt;br /&gt;
Walking back to the table I noticed at the top right of the screen, 432...my ID number was right on the screen. When I sat down at my table I peered over to my neighbor and saw their number was 433. The person to my right was 434. The table was sequential in ID numbers. My friend and web design guru Clint was sitting across the table so I asked him his ID number, 437. I knew his phone number so I exited the application and sure enough, was able to &lt;span class="goog-spellcheck-word"&gt;login&lt;/span&gt; to the Bid Pal device as Clint. As you might guess, I could have posed as someone else to outbid the winner of the Daily Show tickets, written a bogus&amp;nbsp;IOU&amp;nbsp;and walked away with the tickets.&lt;br /&gt;
&lt;br /&gt;
So how did Bid Pal allow this? They relied on two pieces of information to authenticate a user that could be found out by anyone. This event was targeted at business professionals. With a simple guess that they used their work phone numbers (as many did...I asked) and a quick shoulder surf, I could have been anyone at that event.&lt;br /&gt;
&lt;br /&gt;
How do they fix this? Use the device serial number instead of the ID number. So when the user comes to retrieve the device, the device activates Bid Pal with the user id detected from the device (I'm guessing you can do this with &lt;span class="goog-spellcheck-word"&gt;iPod&lt;/span&gt;, if not,&amp;nbsp;seriously Apple? That could be incredibly useful) and then the password is the phone number. This effectively builds dual factor authentication, something you have (the &lt;span class="goog-spellcheck-word"&gt;iPod&lt;/span&gt; Touch device) and something you know (the phone number). The iPhone 4 could even open up a biometric component to this but we won't go there. I would suggest Bid Pal update their software because at the next event this might be discovered by someone not so &lt;span class="goog-spellcheck-word"&gt;unmalicious&lt;/span&gt; (is that a word?) as me. :)&lt;br /&gt;
&lt;br /&gt;
On a side note, the interface to Bid Pal was really nice. Kudos to them on application/interface design but please improve the security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-7588397182963128320?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/sOvusGntW_JpdCGAp1QyRIowv5c/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/sOvusGntW_JpdCGAp1QyRIowv5c/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/sOvusGntW_JpdCGAp1QyRIowv5c/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/sOvusGntW_JpdCGAp1QyRIowv5c/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/Pq-YwN8y8Qg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/7588397182963128320/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=7588397182963128320" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/7588397182963128320?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/7588397182963128320?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/Pq-YwN8y8Qg/weak-authentication-could-have-won.html" title="Weak authentication could have won Daily Show tickets" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/weak-authentication-could-have-won.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkICSHo8fCp7ImA9WxFbEkw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-4682326409556738551</id><published>2010-07-03T20:32:00.000-07:00</published><updated>2010-07-03T20:36:09.474-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-03T20:36:09.474-07:00</app:edited><category 
scheme="http://www.blogger.com/atom/ns#" term="Hakin9" /><category scheme="http://www.blogger.com/atom/ns#" term="social engineer" /><category scheme="http://www.blogger.com/atom/ns#" term="publication" /><category scheme="http://www.blogger.com/atom/ns#" term="article" /><category scheme="http://www.blogger.com/atom/ns#" term="Evil Twin" /><title>Hakin9: Birth of an Evil Twin</title><content type="html">How do I know you are who you say you are? In Facebook, Twitter, LinkedIn...I don't. My latest article (July 2010) in Hakin9 magazine examines this topic, the Evil Twin attack. We step through the actions and activities necessary to create an Evil Twin in the hopes that Information Security professionals can take this and educate their workforce.&lt;br /&gt;&lt;br /&gt;Let me know what you think. If you have a story about an Evil Twin experience, definitely post that as well!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bit.ly/dBzP1J"&gt;http://bit.ly/dBzP1J&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-4682326409556738551?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/5cIWkRQST36PZ6hliSbRBnWT3Nw/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/5cIWkRQST36PZ6hliSbRBnWT3Nw/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/5cIWkRQST36PZ6hliSbRBnWT3Nw/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/5cIWkRQST36PZ6hliSbRBnWT3Nw/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/2co-Iy_QQp4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/4682326409556738551/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=4682326409556738551" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4682326409556738551?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/4682326409556738551?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/2co-Iy_QQp4/hakin9-birth-of-evil-twin.html" title="Hakin9: Birth of an Evil Twin" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/07/hakin9-birth-of-evil-twin.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUUMRX07cSp7ImA9WxFbEkw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-8502671870008261583</id><published>2010-06-23T21:31:00.000-07:00</published><updated>2010-07-03T20:14:44.309-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-03T20:14:44.309-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="baltimore" /><category 
scheme="http://www.blogger.com/atom/ns#" term="ISSA" /><category scheme="http://www.blogger.com/atom/ns#" term="maryland" /><category scheme="http://www.blogger.com/atom/ns#" term="information security" /><title>ISSA Baltimore meeting (June)</title><content type="html">This Wednesday I had off school so I decided to visit the local ISSA chapter here in Baltimore. The presentation was on XML Firewalls and how they can be used to help secure web service traffic. Adam Vincent from Layer 7 was the presenter. I found the topic interesting due to my background as a developer and saw lots of uses for such technology in a SOA environment.&lt;br /&gt;&lt;br /&gt;While the presentation was good, the food was excellent! This was my first ISSA meeting so I did not know what to expect. The people were friendly and welcoming, the refreshments were plentiful and I learned a lot in the process.&lt;br /&gt;&lt;br /&gt;I recommend the next Baltimore ISSA meeting to any b-morians interested in Information Security. The next meeting is July 28th and the topic is "Protecting Your Applications from Backdoors". If you are planning on attending, drop a comment and I'll keep an eye out for you there!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-8502671870008261583?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/lqgxVTkuXhX1_IDsVp7dvNNE-v0/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/lqgxVTkuXhX1_IDsVp7dvNNE-v0/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/lqgxVTkuXhX1_IDsVp7dvNNE-v0/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/lqgxVTkuXhX1_IDsVp7dvNNE-v0/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/BdNrysFGbm4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/8502671870008261583/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=8502671870008261583" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/8502671870008261583?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/8502671870008261583?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/BdNrysFGbm4/issa-baltimore-meeting-june.html" title="ISSA Baltimore meeting (June)" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/06/issa-baltimore-meeting-june.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkQARHc9eSp7ImA9WxFbEkw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-8127860634996714621</id><published>2010-04-30T20:28:00.000-07:00</published><updated>2010-07-03T20:32:25.961-07:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-07-03T20:32:25.961-07:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Hakin9" /><category 
scheme="http://www.blogger.com/atom/ns#" term="threat modelling" /><category scheme="http://www.blogger.com/atom/ns#" term="publication" /><category scheme="http://www.blogger.com/atom/ns#" term="article" /><title>Hakin9: Threat Modeling Basics</title><content type="html">Is your software secure? How do you know? In this month's Hakin9 Magazine, I explore the concept of Threat Modeling, which is the practice of decomposing an application to analyze its attack vectors. This is a process done during the design phase of a project so that threats are identified long before a single line of code is written.&lt;br /&gt;&lt;br /&gt;Drop me some comments and let me know what you think!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bit.ly/90u1V6"&gt;http://bit.ly/90u1V6&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-8127860634996714621?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/gNUZTzbRXSmbt5Y2iK6Cr6LkRX8/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gNUZTzbRXSmbt5Y2iK6Cr6LkRX8/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/gNUZTzbRXSmbt5Y2iK6Cr6LkRX8/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gNUZTzbRXSmbt5Y2iK6Cr6LkRX8/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/eWIHTVaKzCo" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/8127860634996714621/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=8127860634996714621" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/8127860634996714621?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/8127860634996714621?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/eWIHTVaKzCo/hakin9-threat-modeling-basics.html" title="Hakin9: Threat Modeling Basics" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/04/hakin9-threat-modeling-basics.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEYDRns7fyp7ImA9WxBVGEw.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-1793694662647033257</id><published>2010-02-21T20:14:00.000-08:00</published><updated>2010-02-21T20:16:17.507-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-21T20:16:17.507-08:00</app:edited><title>Class Presentation</title><content type="html">We had to do a 
class presentation for one of my grad school classes. Here is my presentation. I tried a different style for the slides: everything is hand drawn. Let me know what you think.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://docs.google.com/present/embed?id=dj9fkqm_127dt8xtcfm" frameborder="0" width="410" height="342"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-1793694662647033257?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/75R5ErkrQCWd-WPTQ-siYCnHODk/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/75R5ErkrQCWd-WPTQ-siYCnHODk/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/75R5ErkrQCWd-WPTQ-siYCnHODk/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/75R5ErkrQCWd-WPTQ-siYCnHODk/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/aDEKJG6OCNE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/1793694662647033257/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=1793694662647033257" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/1793694662647033257?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/1793694662647033257?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/aDEKJG6OCNE/class-presentation.html" title="Class Presentation" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/02/class-presentation.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C04GSXY6cCp7ImA9WxBVEE4.&quot;"><id>tag:blogger.com,1999:blog-7896440576153621946.post-6625844945498310877</id><published>2010-02-12T19:31:00.001-08:00</published><updated>2010-02-12T19:32:08.818-08:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-12T19:32:08.818-08:00</app:edited><title>New/Fun Technology</title><content type="html">&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_lKNGBJjZVpA/S3YdMr-_VrI/AAAAAAAAAF4/pD-Svpf6z1U/s1600-h/LinkedIn_Profile_201021332622.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 335px;" src="http://2.bp.blogspot.com/_lKNGBJjZVpA/S3YdMr-_VrI/AAAAAAAAAF4/pD-Svpf6z1U/s400/LinkedIn_Profile_201021332622.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5437565703899010738" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7896440576153621946-6625844945498310877?l=seccode.blogspot.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/6-jTQYSCyur83KzMv_I1_0q0T5o/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/6-jTQYSCyur83KzMv_I1_0q0T5o/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/6-jTQYSCyur83KzMv_I1_0q0T5o/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/6-jTQYSCyur83KzMv_I1_0q0T5o/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/SeccodeSecuringTheWildWildWeb/~4/gKX6u7NS6Og" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://seccode.blogspot.com/feeds/6625844945498310877/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.blogger.com/comment.g?blogID=7896440576153621946&amp;postID=6625844945498310877" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6625844945498310877?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/7896440576153621946/posts/default/6625844945498310877?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/SeccodeSecuringTheWildWildWeb/~3/gKX6u7NS6Og/newfun-technology.html" title="New/Fun Technology" /><author><name>Tim Kulp</name><uri>https://profiles.google.com/104495724950668237153</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="32" height="32" src="//lh3.googleusercontent.com/-SET4x5bUV1U/AAAAAAAAAAI/AAAAAAAAALg/FFGnusi4YLA/s512-c/photo.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/_lKNGBJjZVpA/S3YdMr-_VrI/AAAAAAAAAF4/pD-Svpf6z1U/s72-c/LinkedIn_Profile_201021332622.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://seccode.blogspot.com/2010/02/newfun-technology.html</feedburner:origLink></entry></feed>

